- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to filter multiple values in saved search ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to filter multiple values in saved search using single token
Please help me to select the multiple values from the saved search. i need to filter 2 or 3 values out of 6. this is the fieldname targetType =(name, employee, statement)
This is my search :
|inputlookup target_lookup
| where targetType LIKE("$value$")
| makemv delim="," targetType
|table targetType
Saved search :
| savedsearch reportname $value$
This is not working for me. could you please help me to resolve the issue I will be very happy if anyone resolves this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harish_l ,
Dyude try this,
| inputlookup target_lookup
| search
[| gentimes start=-1
| eval targetType="$targetType$"
| makemv targetType delim=","
| mvexpand targetType
| table targetType] | table targetType
run the savedsearch by passing multiple values
| savedsearch reportname targetType="value1,value2"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vinod94
I have tried the above query but getting only one value. I need to display 2 values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can u show the savedsearch query.? how are you running it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do it by giving
|inputlookup target_lookup
| where targetType LIKE("$value1$") OR targetType LIKE("$value2$") OR targetType LIKE("$value3$")
| makemv delim="," targetType
|table targetType
| savedsearch reportname value1=val1 value1=val2 value1=val3
Or just create a macro and use it in a similat way
Then just call \macro_name(value1)`,`macro_name(value2)`,`macro_name(value3)``
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am getting only one value using this query. how to get the 2 or 3 values using single token
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you get us a sample of your lookup and what you'd like to have as a result please ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup data has only one field name with 5 values
FieldsName: targetType
Fielde Value: Count
Duration
Uptime
Down
Messgae
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
